Analysis
max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-06-2024 10:47
Static task: static1
Behavioral task: behavioral1
  Sample: 50f6e215f2e575c658c0d5f6b30c0920_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 50f6e215f2e575c658c0d5f6b30c0920_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 50f6e215f2e575c658c0d5f6b30c0920_NeikiAnalytics.exe
Size: 2.6MB
MD5: 50f6e215f2e575c658c0d5f6b30c0920
SHA1: 4854e9f40453c9ac5b24bfafebec97ffb4ff6993
SHA256: e11b94a331595019fca9839630dcd03ebc49e44fd78117b6c4b2744e211c9f54
SHA512: 7c8e034b6c51d17a53ab5986d91c1e466406f09ef716231dfe43b5d8408fe2ae54dc0ddff82ddd44070ecea98a91497020dc3ed0a78e091a6fa8a1da91f2a3c8
SSDEEP: 24576:ObCj2sObHtqQ4QEfCr7w7yvuqqNq8FroaSaPXRackmrM4Biq7MhLv9GImmVfq4eR:ObCjPKNqQEfsw43qtmVfq4w
Malware Config
Extracted
Protocol: smtp
Host: smtp.mail.me.com
Port: 587
Username: [email protected]
Password: RICHARD205lord
Signatures

Executes dropped EXE (3 IoCs)
  pid   Process
  5012  jhdfkldfhndfkjdfnbfklfnf.exe
  4932  winmgr119.exe
  3308  winmgr119.exe

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Yara rule match: upx (8 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/928-13-0x0000000000400000-0x000000000048E000-memory.dmp   upx
  behavioral2/memory/928-15-0x0000000000400000-0x000000000048E000-memory.dmp   upx
  behavioral2/memory/928-14-0x0000000000400000-0x000000000048E000-memory.dmp   upx
  behavioral2/memory/928-20-0x0000000000400000-0x000000000048E000-memory.dmp   upx
  behavioral2/memory/4528-24-0x0000000000400000-0x0000000000491000-memory.dmp  upx
  behavioral2/memory/4528-26-0x0000000000400000-0x0000000000491000-memory.dmp  upx
  behavioral2/memory/4528-25-0x0000000000400000-0x0000000000491000-memory.dmp  upx
  behavioral2/memory/4528-28-0x0000000000400000-0x0000000000491000-memory.dmp  upx

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
    Process: cvtres.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe"
    Process: 50f6e215f2e575c658c0d5f6b30c0920_NeikiAnalytics.exe
  description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe"
    Process: jhdfkldfhndfkjdfnbfklfnf.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  31    icanhazip.com
  33    ipinfo.io

AutoIT Executable (2 IoCs)
AutoIT scripts compiled to PE executables.
  resource                                     yara_rule
  behavioral2/files/0x0014000000023371-3.dat   autoit_exe
  behavioral2/files/0x0009000000023372-43.dat  autoit_exe

Suspicious use of SetThreadContext (4 IoCs)
  description                          pid   Process                       procid_target
  PID 5012 set thread context of 4712  5012  jhdfkldfhndfkjdfnbfklfnf.exe  99
  PID 4712 set thread context of 928   4712  RegAsm.exe                    102
  PID 4712 set thread context of 4528  4712  RegAsm.exe                    104
  PID 4712 set thread context of 744   4712  RegAsm.exe                    106

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 26 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  868   schtasks.exe
  4276  schtasks.exe
  3100  schtasks.exe
  3500  schtasks.exe
  5000  schtasks.exe
  8     schtasks.exe
  3040  schtasks.exe
  2612  schtasks.exe
  704   schtasks.exe
  3596  schtasks.exe
  904   schtasks.exe
  4016  schtasks.exe
  904   schtasks.exe
  1560  schtasks.exe
  60    schtasks.exe
  3820  schtasks.exe
  4080  schtasks.exe
  2468  schtasks.exe
  2964  schtasks.exe
  452   schtasks.exe
  3268  schtasks.exe
  4080  schtasks.exe
  4836  schtasks.exe
  2104  schtasks.exe
  396   schtasks.exe
  532   schtasks.exe

NTFS ADS (4 IoCs)
  description: File created
    ioc: C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe:Zone.Identifier:$DATA
    Process: jhdfkldfhndfkjdfnbfklfnf.exe
  description: File created
    ioc: C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA
    Process: winmgr119.exe
  description: File opened for modification
    ioc: C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA
    Process: winmgr119.exe
  description: File created
    ioc: C:\Users\Admin\AppData\Local\Temp\50f6e215f2e575c658c0d5f6b30c0920_NeikiAnalytics.exe:Zone.Identifier:$DATA
    Process: 50f6e215f2e575c658c0d5f6b30c0920_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4712  RegAsm.exe
  Token: SeDebugPrivilege  928   cvtres.exe
  Token: SeDebugPrivilege  4528  cvtres.exe
  Token: SeDebugPrivilege  744   cvtres.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  4712  RegAsm.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes

Process tree (depth in brackets; each entry gives the image path, the command line, the signatures hit, and the PID):

[1] C:\Users\Admin\AppData\Local\Temp\50f6e215f2e575c658c0d5f6b30c0920_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\50f6e215f2e575c658c0d5f6b30c0920_NeikiAnalytics.exe"
    - Adds Run key to start application
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 3088

    [2] C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
        Command line: C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - NTFS ADS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 5012

        [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
            Command line: 0
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 4712

            [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpC5FF.tmp"
                - Suspicious use of AdjustPrivilegeToken
                PID: 928

            [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpC871.tmp"
                - Accesses Microsoft Outlook accounts
                - Suspicious use of AdjustPrivilegeToken
                PID: 4528

            [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpC8C0.tmp"
                - Suspicious use of AdjustPrivilegeToken
                PID: 744

        [3] C:\Windows\SysWOW64\schtasks.exe (26 instances, all with the identical command line below)
            Command line: C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
            - Creates scheduled task(s)
            PIDs, in tree order: 3820, 2612, 4016, 4836, 4080, 452, 904, 2104, 868, 1560, 704, 3100, 2468, 3268, 3500, 5000, 2964, 4276, 60, 8, 396, 532, 3596, 4080, 904, 3040

[1] C:\ProgramData\winmgr119.exe
    Command line: C:\ProgramData\winmgr119.exe
    - Executes dropped EXE
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID: 4932

[1] C:\ProgramData\winmgr119.exe
    Command line: C:\ProgramData\winmgr119.exe
    - Executes dropped EXE
    - NTFS ADS
    PID: 3308
Downloads